COMMAND
lynx CRLF injection vulnerability
SYSTEMS AFFECTED
?
PROBLEM
A vulnerability was discovered in lynx, a text-mode web browser. The
From Mandrake Linux Security Update Advisory [MDKSA-2003:023]
HTTP queries that lynx constructs are from arguments on the command
line or the $WWW_HOME environment variable, but lynx does not properly
sanitize special characters such as carriage returns or linefeeds.
Extra headers can be inserted into the request because of this, which
can cause scripts that use lynx to fetch data from the wrong site from
servers that use virtual hosting.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1405
SOLUTION
Updates available, check your distro